
Dr. Tom Shinder’s Blog on WindowSecurity.com

Welcome to my new blog here on www.windowsecurity.com! My name is Dr. Tom Shinder and you might know me from my years over at www.isaserver.org. For the last ten years of my work life, I’ve dedicated myself to consulting and writing about Microsoft networking and security topics. During the last decade, I’ve had the opportunity to write, on my own or in collaboration with others, over 30 books on planning, installing, operating and securing Microsoft networks.

In this blog, and in the articles I’ll publish on www.windowsecurity.com, I’ll focus on Microsoft security technologies and products and how you can use them to help secure your network and meet the ever-increasing regulatory compliance requirements you’ll encounter over the coming years. I think you’ll be amazed at how Microsoft has changed from a company that paid relatively little attention to security in the past to one that has one of the most comprehensive security product and technology portfolios in the computer software industry today.

Another thing about this blog is that I’ll try to orient it toward the MS network admin who isn’t planning on becoming the security expert in his organization. This means that I’ll focus on things that you can do to defend and protect your network now. I won’t try to turn you into a hacker, and I won’t try to educate you into the hacker’s mindset. Instead, I hope to provide you with the tools, technologies and methodologies that you can use to protect yourself from the bad guys, without trying to teach you how to become one of the bad guys.

I’m looking forward to working with all of you in the years to come and hope that we’ll have some active and professional discussions on this blog. We can all learn something from each other and ideally I’ll learn more from all of you than you learn from me! Just about everything I know I’ve learned from someone else, so let’s hope that positive trend continues on this blog.

I’ve configured the blog to notify me when you post a reply and I’ll try to reply ASAP after your post.

Thanks!

Death of the DMZ — Redux

My friend Steve Riley is at it again — this time with a new twist. In a blog post over at http://blogs.technet.com/steriley/archive/2008/06/...6.aspx he describes a vision where the corpnet can be extended to any location in the world. Thus, there will be no difference between an “internal” host and an “external” host. All managed clients will be considered as part of the same security zone (corpnet), regardless of their location.

This solution depends on two core technologies:

  • Universal connectivity using IPv6
  • Connection security and privacy provided by IPsec

IPv6 will remove all NAT requirements, and Steve says that all you need is a router configured to allow inbound UDP 500 (for IKE) and IP protocol 50 (for ESP). That’s it. No need for firewalls at the corpnet edge, since there will no longer be a corpnet, just a worldwide network of managed clients that Group Policy, Forefront Client Security and NAP will protect.

It’s an attractive idea. Wouldn’t it be nice to join my kitchen computer, the one I share with the wife and kids, to the distributed corpnet? And how about my main workstation at home? That should be a member of the corpnet too. And that laptop I lug around the world, connecting it to unsecure and unmanaged networks with great abandon, that should be part of the corpnet too. Sweet!

However, there are two problems with this scenario that Steve hasn’t addressed — outbound access control and the “quality” of clients.

First, let’s look at the outbound access control issue. Outbound access control has two primary goals — to prevent users from downloading stuff that the company doesn’t want on corpnet computers and to prevent users on corpnet computers from uploading stuff the company doesn’t want uploaded. We might also add a third goal — to prevent users from viewing information that could put the company at risk for any number of legitimate or illegitimate reasons (from a criminal and civil law perspective).

Steve’s “network of the future” doesn’t have any provisions for outbound access control. While Forefront Client Security is a great anti-malware solution, it doesn’t protect against zero-day threats. And while NAP does a darned good job at preventing unhealthy clients from connecting to the network, there’s more to the security game than just protecting us from known malware and unhealthy clients. Thus, without outbound access controls, you reduce the overall “quality” of the machines because they have an increased attack surface: unrestricted access to any content, using any protocol, from any application.

So this first issue plays into the second problem with Steve’s “network of the future” — the “quality” of clients located on Steve’s distributed corpnet. Let’s look at an analogy.

A woman is in love with two men (hey, it can happen) and has decided that she wants to marry one of them so that she can settle down and have a happy life. She manages both of these men pretty well, except one of them has a long history of being a womanizer and has slept with hundreds of women in his life. However, she’s sure he’s given up that life to be with her. The other man has only been with one other woman in his life and has no history of womanizing.

What would you recommend to this woman? Both of these men have been “well managed” by her and she’s sure that she’ll be able to manage either one of them in the future. But would you say both of these men were of the same “quality” when it comes to potential future risk?

Isn’t the womanizer much like the off-site computer that connects to a multiplicity of networks with unknown security states? And even if the Bedouin off-site computers were only connected to secure networks, who has been working on those computers and who is really logged onto those machines? What if the off-site “corpnet” machine is in the hands of an attacker — to what degree will that attacker be able to leverage his new found connectivity to the corpnet?

What do we do about this situation? It’s clear that off-site clients are in a different security zone than the “bolted-in” corpnet clients. But then again, is there such thing as a bolted-in corpnet client anymore? Many companies are providing laptop computers to their users that they can take home, and then they can bring them back and plug them into the corporate network. Are these machines any different than the off-site distributed network “new world order” corpnet machines?

So, maybe the issue of client “quality” is moot, and the concern regarding the difference in quality, and thus different security zones for mobile and “fixed” corporate assets, is more apparent than real. This still leaves the issue of outbound access controls.

Steve mentions enabling the Windows Firewall with Advanced Security on the clients. While this is a great suggestion for controlling inbound access (as is the router configuration to the physical “corpnet”), it does nothing for outbound access control.

So, what is the solution? I suspect the only way we can actually solve the problem and make Steve’s “network of the future” a reality is to have an ISA (actually it’ll be a TMG) firewall on every client, and enable centralized management of that firewall via a consolidated agent, such as the Firewall client, which could be wrapped into the Forefront Client Security agent. Only after having this or a similar solution will we get close enough to leveling the playing field to make the “network of the future” a truly secure, distributed corpnet.

Next time, we’ll tackle the task of reperimeterization and the unmet challenges we have there.

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/UAG)

The Microsoft ACE Team

I’ve written a bit on how important a Security Development Lifecycle is to creating secure software. Without an SDL, software is designed for functionality first, and then security is “bolted on” at the end of the development process. This can lead to software with more security bugs than you’d care to think about. With an SDL, those bugs never find their way into the software, because the SDL process forces security issues to be considered from the initial inception of the software to the final code release. For any software purchase you make, you need to ask the vendor how they implement an SDL in their own software development process. If they can’t provide you this information, then you should reconsider the software purchase and look to a vendor that can provide you details of their SDL.

But what if you’re a software development house and you don’t have the knowledge or the talent in house to implement an effective SDL? There are a lot of options, but one of the best is to bring in some experts who can perform fast and effective knowledge transfer to bring your developers and project managers up to speed. Which experts should you choose? I think that you can’t do much better than the Microsoft ACE Team. The Microsoft Application Consulting and Engineering Team can do code reviews and train your staff in secure application development. I’ve had the chance to work with this team and they are top notch secure application development professionals.

For more information about Microsoft ACE, check out their blog at:

http://blogs.msdn.com/ace_team/default.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Microsoft Security Architect / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/UAG)

Network Monitor 3 Video Help

As all Microsoft security admins know, you have to be good at protocol analysis to find out what’s happening on the wire. But what’s the best protocol analyzer to use? There are plenty of commercial protocol analyzers you can use, but if you want a free one that provides commercial-level functionality and flexibility, then it’s hard to do better than Network Monitor 3.

To learn more about NM 3, check out the video Help links on the Network Monitor blog at:

http://blogs.technet.com/netmon/archive/2008/07/11...3.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

TechNet Webcast: Security Features in Windows Vista (Level 200)

Shawn Travers presents a fine Webcast about Windows Vista security. Topics include:

  • Windows Service Hardening
  • Antispyware enhancements
  • Antiphishing enhancements
  • Windows Firewall with Advanced Security
  • IPv6
  • BitLocker
  • EFS
  • Smart Card enhancements
  • And more!

Check out this on-demand Webcast at:

http://www.microsoft.com/events/series/detail/webc...312729

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Identifying the Changing Threat Landscape

Your network is running smoothly, your end users are happy with their new PDAs and laptops, and your boss thinks you’re a security genius, but how do you know what you’re defending against? Microsoft provides learning path resources to understand the current threat landscape and identify ways to help protect your business and customers. You’ll find analysis of data collected from millions of users—as well as respected security experts—complete with strategies, mitigations, and countermeasures to help you take next steps.

Check this learning guide out at:

http://technet.microsoft.com/en-us/security/cc5140...3.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Going It Alone: How Mobile PCs Protect Themselves Outside of the Network

Life on the corporate network is a calm and collected experience for the “bolted in” workstation. That bolted in workstation never leaves the corporate network, and is always protected by the multiplicity of devices and technologies that we use to make sure that the corpnet is secure.

But life is different for the laptop computer. Sure, that corporate-issued laptop might be connected to the corpnet and enjoy the Life of Riley when protected by the full faith and credit of corporate IT, but once that laptop leaves the confines of your well-managed corpnet, that poor thing is on its own. That Bedouin laptop will need to fend for itself and try to protect itself from all the bad things out there on other networks.

But how can you help your road warriors win the battles encountered out there on all the unmanaged networks in the world? You need to teach your users how to configure their computers and work with their computers so that they can go it alone and come back to your corpnet uncompromised.

Can it be done? I think so. One good way to get started on this mission is to check out Tony Bradley’s article on the Microsoft.com Web site. The article is titled Going It Alone: How Mobile PCs Protect Themselves Outside of the Network and you can find it at:

http://technet.microsoft.com/en-us/library/cc748609.aspx

Let me know what you think of this article by posting a response on this blog.

Thanks!

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

The Selecting the Right NAP Architecture Guide

The Infrastructure Planning and Design (IPD) guides are the next version of Windows Server System Reference Architecture. The guides in this series help clarify and streamline design processes for Microsoft infrastructure technologies, with each guide addressing a unique infrastructure technology or scenario.

Among this group of documents is the Selecting the Right NAP Architecture guide. This guide will help you decide which NAP enforcement method is best for you and then guides you through the planning and design phases (helpful, but most of us could use help with implementation too).

Check it out at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

The Windows Vista Security Guide

Of course, with all of this talk of Vista security, we can’t forget the most interesting and useful piece of Vista security documentation — the Windows Vista Security Guide. You can find the Windows Vista Security Guide over at:

http://www.microsoft.com/downloads/details.aspx?fa...ang=en

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

And Speaking of Vista Security

The last blog entry pointed to the Vista Kernel article by Mark Russinovich. That was a nice overview of the security features. For a more comprehensive article that provides even more information on why Vista is the most secure client operating system on which to run your applications, check out the article The Advantages of Running Applications on Windows Vista at http://msdn.microsoft.com/en-us/library/bb188739.aspx.

That article is great and discusses a great number of topics and technologies that enhance the security provided by the Vista client. Many Windows admins most likely take advantage of only a fraction of the security technologies available in Vista. That’s a shame, as the article shows the tremendous number of options available to you. And when you pair Vista with Windows Server 2008, well, it doesn’t get much more secure than that for client/server communications.

Make sure to check the front page of this site on a regular basis! I recently showed you how to put together a simple proof of concept of domain isolation. Next week I’ll show you how to put together a simple DHCP NAP enforcement solution. While the DHCP NAP enforcement solution is the least impressive in terms of security, it’s the simplest and will allow you to dip your toes into the NAP waters before we get into more interesting NAP scenarios, such as NAP with Health Certificate enforcement and NAP with the Terminal Services Gateway.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)
